Android Enterprise feature list

This page lists the complete set of Android Enterprise features.

If you intend to manage more than 1000 devices, your EMM solution must support
all the standard features (star)
of at least one solution set before it can be made commercially available. EMM
solutions that pass standard feature verification are listed in Android's
Enterprise Solutions Directory
as offering a Standard Management Set.

1.3. NFC device provisioning

| Android version | Work profile | Fully managed device | Dedicated device |
| --- | --- | --- | --- |
| 6.0+ | remove_circle_outline | star_border | star_border |

IT admins can "bump" new or factory-reset devices with the EMM's NFC provisioning
app to provision a device, according to the implementation guidelines defined in
the Android Management API developer documentation.

1.3.1. The NFC provisioning app must be published to Google Play, and must use
provisioning extras to pass all non-sensitive registration details (e.g. server
IDs, enrollment IDs) to a device. Registration details shouldn't include
sensitive information, such as passwords or certificates.

1.4. QR code device provisioning

| Android version | Work profile | Fully managed device | Dedicated device |
| --- | --- | --- | --- |
| 7.0+ | remove_circle_outline | star_border | star_border |

IT admins can use a new or factory-reset device to scan a QR code generated by the
EMM's console to provision the device, according to the implementation guidelines
defined in the Android Management API developer documentation.

1.4.1. The QR code must use provisioning extras to pass all non-sensitive
registration details (e.g. server IDs, enrollment IDs) to a device. Registration
details must not include sensitive information, such as passwords or
certificates.
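A pre-publication check for the requirement in 1.3.1 and 1.4.1, as an added example that is not part of the original page or of the Android Management API: it scans the admin extras bundle of a QR provisioning payload for password-like keys and embedded certificate or key material. The sample payloads, the bundle key names (`server_id`, `enrollment_id`, `admin_password`, `trust_anchor`, `tls`) and the heuristics are constructed for illustration.

```python
import base64
import binascii
import json
import re

# Android provisioning extra that carries EMM-defined registration details.
ADMIN_EXTRAS = "android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE"

# Heuristics chosen for this example, not an official list.
SENSITIVE_KEY = re.compile(r"pass(word|wd|phrase)|secret|private.?key|cert", re.I)
PEM_MARKER = re.compile(r"-----BEGIN [A-Z0-9 ]+-----")


def looks_like_der(value):
    """True if value is base64 of an ASN.1 SEQUENCE with a 2-byte length,
    the usual start of an X.509 certificate or a PKCS#8 key."""
    if len(value) < 64:
        return False
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False
    return raw[:2] == b"\x30\x82"


def find_sensitive(bundle, path=""):
    """Walk a (possibly nested) bundle and return (path, reason) findings."""
    findings = []
    for key, value in bundle.items():
        where = f"{path}/{key}"
        if isinstance(value, dict):
            findings += find_sensitive(value, where)
        elif SENSITIVE_KEY.search(key):
            findings.append((where, "key name suggests a credential"))
        elif isinstance(value, str) and PEM_MARKER.search(value):
            findings.append((where, "PEM block in value"))
        elif isinstance(value, str) and looks_like_der(value):
            findings.append((where, "base64 DER structure in value"))
    return findings


def lint_qr_payload(payload_json):
    bundle = json.loads(payload_json).get(ADMIN_EXTRAS, {})
    if not isinstance(bundle, dict):
        return [("/", "admin extras bundle is not a JSON object")]
    return find_sensitive(bundle)


# Constructed sample payloads (not real enrollment data).
FAKE_DER = base64.b64encode(b"\x30\x82\x01\x0a" + bytes(60)).decode()
GOOD = json.dumps({
    "android.app.extra.PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME":
        "com.example.dpc/.AdminReceiver",
    ADMIN_EXTRAS: {"server_id": "emm-eu-1", "enrollment_id": "ENR-000123"},
})
BAD = json.dumps({
    ADMIN_EXTRAS: {
        "server_id": "emm-eu-1",
        "admin_password": "constructed-value",
        "tls": {"client_identity": FAKE_DER},
        "trust_anchor": "-----BEGIN CERTIFICATE-----\n(constructed)\n"
                        "-----END CERTIFICATE-----",
    },
})

if __name__ == "__main__":
    for path, reason in lint_qr_payload(BAD):
        print(f"{path}: {reason}")
```

Running the check in the console's QR generation path, before the code is rendered, keeps a flagged payload from ever being printed or displayed.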

1.5. Zero-touch enrollment

| Android version | Work profile | Fully managed device | Dedicated device |
| --- | --- | --- | --- |
| 8.0+ (Pixel 7.1+) | remove_circle_outline | star_border | star_border |

IT admins can preconfigure devices purchased from
authorized
resellers and manage them using your EMM console.

Password expiration timeout: Coupled with the compliance enforcement
feature, this forces the user to periodically update their password according to
the admin-specified timeout. IT admins must be able to disable this
feature.

Password history length: Specifies the length of time before a user can
re-use any given password. IT admins must be able to disable this feature.

Maximum failed passwords for wipe: Specifies the number of times
the user can enter an incorrect password before corporate data is wiped from the
device. IT admins must be able to disable this feature.

2.4. Smart lock management

| Android version | Work profile | Fully managed device | Dedicated device |
| --- | --- | --- | --- |
| 6.0+ | star_border | star_border | star_border |

The Android Management API doesn't currently support this feature.

2.5. Wipe and lock

| Android version | Work profile | Fully managed device | Dedicated device |
| --- | --- | --- | --- |
| 5.0+ | star | star | star |

IT admins can use the EMM's console to remotely lock and wipe work data from a
managed device.

2.6. Compliance enforcement

If a device is not compliant with security policies, compliance rules
put in place by the Android Management API automatically restrict access to work
data.

2.6.1. At minimum, the security policies enforced on a device must include
password policy.

2.7. Default security policies

| Android version | Work profile | Fully managed device | Dedicated device |
| --- | --- | --- | --- |
| 5.0+ | star | star | star |

EMMs must enforce the specified security policies on devices by default,
without requiring IT admins to configure or customize any settings in the EMM's
console. EMMs are encouraged (but not required) to not allow IT admins to change
the default state of these security features.

2.7.1. Installing apps from unknown sources must be blocked. This subfeature
is supported by default.

2.7.2. Access to debugging features must be blocked. This subfeature
is supported by default.

2.8. Security policies for dedicated devices

| Android version | Work profile | Fully managed device | Dedicated device |
| --- | --- | --- | --- |
| 6.0+ | remove_circle_outline | remove_circle_outline | star |

Users can't escape a locked down dedicated device to enable other actions.

2.9. SafetyNet Support

SafetyNet is enabled by default. No additional implementation is
required.

2.10. Verify Apps enforcement

| Android version | Work profile | Fully managed device | Dedicated device |
| --- | --- | --- | --- |
| 5.0+ | star_border | star_border | star_border |

IT admins can enable Verify Apps
on devices. Verify Apps scans apps installed on Android devices for malware
before and after they're installed, helping to ensure that corporate data can't
be compromised by malicious apps.

2.13. Enterprise security logging

3. Account and app management

3.1. Managed Google Play accounts enterprise enrollment

| Android version | Work profile | Fully managed device | Dedicated device |
| --- | --- | --- | --- |
| remove_circle_outline | star | star | star |

IT admins can create a managed Google Play Accounts enterprise—an entity that
allows managed Google Play to distribute apps to devices. The following
enrollment stages must be integrated into the EMM's console:

3.2.1. Managed Google Play accounts (user accounts) are automatically created
when devices are provisioned.

The Android Management API supports this feature by default. No additional
implementation is required.

3.3. Managed Google Play device account provisioning

| Android version | Work profile | Fully managed device | Dedicated device |
| --- | --- | --- | --- |
| 5.0+ | remove_circle_outline | remove_circle_outline | star |

The EMM can create and provision managed Google Play device accounts. Device
accounts support silently installing apps from the managed Google Play store,
and are not tied to a single user. Instead, a device account is used to identify
a single device to support per-device app distribution rules in dedicated device
scenarios.

3.3.1. Managed Google Play accounts are automatically created when devices are
provisioned.

The Android Management API supports this feature by default. No additional
implementation is required.

3.4. Managed Google Play account provisioning for legacy devices

| Android version | Work profile | Fully managed device | Dedicated device |
| --- | --- | --- | --- |
| 5.0 and below | remove_circle_outline | remove_circle_outline | remove_circle_outline |

The Android Management API doesn't support this feature.

3.5. Silent app distribution

| Android version | Work profile | Fully managed device | Dedicated device |
| --- | --- | --- | --- |
| remove_circle_outline | star | star | star |

IT admins can silently distribute work apps on users' devices without any user
interaction.

3.5.1. The EMM's console must use the Android Management API
to allow IT admins to install work apps on managed devices.

3.5.2. The EMM's console must use the Android Management API
to allow IT admins to update work apps on managed devices.

3.5.3. The EMM's console must use the Android Management API
to allow IT admins to uninstall apps on managed devices.

3.6. Managed configuration management

| Android version | Work profile | Fully managed device | Dedicated device |
| --- | --- | --- | --- |
| 5.0+ | star | star | star |

IT admins can view and silently set managed configurations for any app that
supports managed configurations.

3.6.1. The EMM's console must be able to retrieve
and display the managed configuration settings of any Play app.

3.6.2. The EMM's console must allow IT admins to set any configuration type (as
defined by the Android framework) for any Play app using the Android Management
API.

3.6.3. The EMM's console must allow IT admins to set wildcards (e.g.
$username$ or %emailAddress%) so that a single configuration for an app such as
Gmail can be applied to multiple users.

3.7. App catalog management

| Android version | Work profile | Fully managed device | Dedicated device |
| --- | --- | --- | --- |
| remove_circle_outline | star | star | star |

This feature is not applicable to the Android Management API.

3.8. Programmatic app approval

| Android version | Work profile | Fully managed device | Dedicated device |
| --- | --- | --- | --- |
| remove_circle_outline | star_border | star_border | star_border |

The EMM's console uses the managed Google Play iframe to support Google Play's
app discovery and approval capabilities. IT admins can search for apps,
approve apps, and approve new app permissions without leaving the EMM's console.

3.9. Basic store layout management

| Android version | Work profile | Fully managed device | Dedicated device |
| --- | --- | --- | --- |
| remove_circle_outline | star | star | remove_circle_outline |

End users can use the managed Google Play store app on their device to install
and update work apps. By default, the managed Google Play store displays all
apps approved for a user in a single list. This layout is referred to as basic
store layout.

3.9.1. The EMM's console should allow IT admins to manage the apps visible in an end user's basic store layout.

3.10. Advanced store layout configuration

| Android version | Work profile | Fully managed device | Dedicated device |
| --- | --- | --- | --- |
| remove_circle_outline | star_border | star_border | remove_circle_outline |

The Android Management API does not currently support this feature.

3.11. App license management

| Android version | Work profile | Fully managed device | Dedicated device |
| --- | --- | --- | --- |
| remove_circle_outline | star_border | star_border | star_border |

The Android Management API doesn't currently support this feature.

3.12. Google-hosted private app management

| Android version | Work profile | Fully managed device | Dedicated device |
| --- | --- | --- | --- |
| remove_circle_outline | star_border | star_border | star_border |

IT admins can update Google-hosted private apps through the EMM console instead
of through the Google Play console.

3.13. Self-hosted private app management

| Android version | Work profile | Fully managed device | Dedicated device |
| --- | --- | --- | --- |
| remove_circle_outline | star_border | star_border | star_border |

IT admins can configure and publish self-hosted private apps. Unlike
Google-hosted private apps, the APKs are not hosted by Google Play. Instead,
the EMM helps IT admins host APKs themselves, and helps protect self-hosted
apps by ensuring they can only be installed when authorized by managed Google
Play.

3.13.1. The EMM's console must help IT admins host the app APK, by offering both
of the following options:

Hosting the APK on the EMM's server. The server can be on-premise or
cloud-based.

Hosting the APK outside of the EMM's server, at the discretion of the
customer. The enterprise customer must specify in the EMM console where the
APK is hosted.

3.13.2. The EMM's console must generate an appropriate APK definition
file using the provided APK
and must guide IT admins through the publishing process.

3.13.4. The EMM's server only serves download requests for the self-hosted APK
that contain a valid JWT within the request's cookie, as verified by the
private app's public key.

To facilitate this, the EMM's server must guide IT admins to download the
self-hosted app's license public key from the Play Developer Console, and
upload this to the EMM console.
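A minimal server-side check for 3.13.4, as an added example that is not code from the original page or from the Android Management API. It assumes an RS256 JWT with an `exp` claim delivered in a cookie named `download_jwt`; the cookie name, the claim names and the toy RSA key built from two Mersenne primes are constructed for illustration, and a real deployment would load the uploaded license public key and use a maintained JWT library.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed toy RSA key (two Mersenne primes) so the demo runs offline with
# no crypto library. Assumption: in production N and E come from the license
# public key the IT admin uploaded, and D does not exist on the EMM server.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # used only to build the sample tokens
KEY_BYTES = (N.bit_length() + 7) // 8
# DER prefix of DigestInfo for SHA-256 (RFC 8017, section 9.2).
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def emsa_pkcs1_v15(message):
    """Expected padded block for an RSASSA-PKCS1-v1_5 / SHA-256 signature."""
    digest_info = SHA256_PREFIX + hashlib.sha256(message).digest()
    padding = b"\xff" * (KEY_BYTES - len(digest_info) - 3)
    return b"\x00\x01" + padding + b"\x00" + digest_info


def verify_download_cookie(cookie_header, now=None, cookie_name="download_jwt"):
    """Return the claims if the cookie holds a valid, unexpired token, else None."""
    now = time.time() if now is None else now
    pairs = (c.strip().split("=", 1) for c in cookie_header.split(";") if "=" in c)
    token = dict(pairs).get(cookie_name, "")
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(payload_b64))
        signature = int.from_bytes(b64url_decode(sig_b64), "big")
    except ValueError:
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    # Pin the algorithm; never let the token select "none" or an HMAC mode.
    if header.get("alg") != "RS256" or signature >= N:
        return None
    recovered = pow(signature, E, N).to_bytes(KEY_BYTES, "big")
    expected = emsa_pkcs1_v15(f"{header_b64}.{payload_b64}".encode())
    if not hmac.compare_digest(recovered, expected):
        return None
    # Assumed claim: "exp" as a Unix timestamp.
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return None
    return claims


def make_sample_token(claims, alg="RS256"):
    """Build a constructed token for the demo; not how real tokens are issued."""
    parts = [b64url_encode(json.dumps(obj).encode()) for obj in ({"alg": alg}, claims)]
    signing_input = ".".join(parts)
    em = int.from_bytes(emsa_pkcs1_v15(signing_input.encode()), "big")
    signature = pow(em, D, N).to_bytes(KEY_BYTES, "big")
    return signing_input + "." + b64url_encode(signature)
```

The download handler should return the APK only when `verify_download_cookie` yields claims, and respond with an authorization error in every other case, including a missing cookie.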

3.14. EMM pull notifications

| Android version | Work profile | Fully managed device | Dedicated device |
| --- | --- | --- | --- |
| remove_circle_outline | star_border | star_border | star_border |

This feature is not applicable to the Android Management API.

3.15. API usage requirements

| Android version | Work profile | Fully managed device | Dedicated device |
| --- | --- | --- | --- |
| remove_circle_outline | star | star | star |

The EMM implements Android Management APIs at scale, avoiding traffic
patterns that could negatively impact customers' ability to manage apps in
production environments.

3.15.1. The EMM must adhere to the Android Management API
usage limits. Failure to correct behavior that exceeds these guidelines may
result in suspended API access, at Google's discretion.

3.15.2. The EMM should distribute traffic from different customers throughout
the day, rather than consolidating all customers' traffic at specific or similar
times. Behavior that fits this traffic pattern, such as scheduled batch
operations for all enrolled customers, may result in suspended API access, at
Google's discretion.

3.15.3. The EMM should not make consistent, incomplete or deliberately incorrect
requests that make no attempt to retrieve or manage actual customer data.
Behavior that fits this traffic pattern may result in suspended API access, at
Google's discretion.

4. Device management

4.1. Runtime permission policy management

| Android version | Work profile | Fully managed device | Dedicated device |
| --- | --- | --- | --- |
| 6.0+ | star | star | star |

IT admins can silently set a default response to all runtime permission requests
made by work apps.

4.1.1. IT admins must be able to choose from the following options when setting
a default runtime permission policy for their organization:

4.4. WiFi security management

IT admins can provision enterprise WiFi configurations
on devices that include the following advanced security
features:

4.4.1. Identity

4.4.2. Certificates for client authorization

4.4.3. CA certificates

4.5. Advanced WiFi management

| Android version | Work profile | Fully managed device | Dedicated device |
| --- | --- | --- | --- |
| 6.0+ | remove_circle_outline | star_border | star_border |

IT admins can lock down WiFi configurations on managed devices, to prevent users
from creating new configurations or modifying corporate configurations.

4.5.1. IT admins can lock down corporate WiFi configurations via
policy in either
of the following configurations:

Users cannot modify any WiFi configurations provisioned by the EMM (see
wifiConfigsLockdownEnabled), but
may add and modify their own user-configurable networks (for instance
personal networks).

Users cannot add or modify any Wi-Fi network on the device
(see wifiConfigDisabled), limiting Wi-Fi connectivity to just those
networks provisioned by the EMM.

4.6. Account management

| Android version | Work profile | Fully managed device | Dedicated device |
| --- | --- | --- | --- |
| 5.0+ | star_border | star_border | star_border |

IT admins can ensure that only authorized corporate accounts can interact with
corporate data, for services such as SaaS storage and productivity apps, or
email. Without this feature, users can add personal accounts to those
corporate apps that also support consumer accounts, enabling them to share
corporate data with those personal accounts.

When enforcing this policy on a device, EMMs must set this restriction
before provisioning is complete, to ensure users cannot circumvent this
policy by adding accounts before the policy is enacted.

4.7. G Suite account management

| Android version | Work profile | Fully managed device | Dedicated device |
| --- | --- | --- | --- |
| 5.0+ | star_border | star_border | remove_circle_outline |

The Android Management API doesn't support this feature.

4.8. Certificate management

| Android version | Work profile | Fully managed device | Dedicated device |
| --- | --- | --- | --- |
| 5.0+ | star_border | star_border | star_border |

Allows IT admins to deploy identity certificates and certificate authorities to
devices in order to enable access to corporate resources.

4.8.1. IT admins can install user identity certs
generated by their PKI on a per-user basis. The EMM's console must integrate
with at least one PKI and distribute certificates generated from that
infrastructure.

4.9. Advanced certificate management

| Android version | Work profile | Fully managed device | Dedicated device |
| --- | --- | --- | --- |
| 7.0+ | star_border | star_border | star_border |

Allows IT admins to silently select the certificates that should be used by
specific managed apps. This feature also grants IT admins the ability to remove
CAs and identity certs from active devices, and prevent users from modifying
credentials stored in the managed keystore.

4.9.1. For any app distributed to devices, IT admins can specify a certificate
that the app will be silently granted access to during runtime. (This
subfeature is not currently supported)

Certificate selection must be generic enough to enable a single
configuration that applies to all users, each of which may have a
user-specific identity certificate.

4.9.3. IT admins can silently uninstall a CA certificate. (This subfeature is
not currently supported)

4.9.4. IT admins can prevent users from configuring credentials
(see credentialsConfigDisabled) in the managed keystore.

4.10. Delegated certificate management

| Android version | Work profile | Fully managed device | Dedicated device |
| --- | --- | --- | --- |
| 6.0+ | star_border | star_border | star_border |

IT admins can distribute a third-party certificate management app to devices and
grant that app privileged access to install certificates into the managed
keystore.

4.10.1. IT admins can specify a certificate management package
(see delegatedCertInstallerPackage) to be set as the delegated certificate
management app.

The EMM may optionally suggest known certificate management packages, but
must allow the enterprise admin to choose from the list of all apps available
for install, for applicable users.

4.11. Advanced VPN management

| Android version | Work profile | Fully managed device | Dedicated device |
| --- | --- | --- | --- |
| 7.0+ | star_border | star_border | star_border |

Allows IT admins to specify an Always On VPN to ensure that data from
specified managed apps will always go through a configured VPN.
Note: this feature requires deploying a VPN client that
supports both Always On and per-app VPN features.

The EMM's console may optionally suggest known VPN packages that support
Always On VPN, but can't restrict the VPNs available for Always On configuration
to any arbitrary list.

4.11.2. IT admins can use managed configurations to specify the VPN settings for
an app.

4.12. IME management

| Android version | Work profile | Fully managed device | Dedicated device |
| --- | --- | --- | --- |
| 5.0+ | star_border | remove_circle_outline | remove_circle_outline |

IT admins can control what input methods (IMEs) users can configure for their
devices. Since the IME is shared across both work and personal profiles,
blocking access to IMEs will prevent users from enabling those IMEs for personal
use as well. IT admins may not, however, block access to system IMEs on work
profiles (see advanced IME management for more details).

4.12.1. IT admins can configure an IME whitelist
(see permitted_input_methods) of arbitrary length (including an empty list,
which blocks all non-system IMEs), which may contain any arbitrary IME packages.

The EMM's console may optionally suggest known or recommended IMEs for
whitelisting, but must allow IT admins to choose from the list of all
apps available for install, for applicable users.

4.12.2. The EMM must inform IT admins that system IMEs are excluded from
management on devices with work profiles.

4.13. Advanced IME management

| Android version | Work profile | Fully managed device | Dedicated device |
| --- | --- | --- | --- |
| 5.0+ | remove_circle_outline | star_border | star_border |

IT admins can control what input methods (IMEs) users can configure for their
device. Advanced IME management extends the basic feature by enabling IT admins
to manage access to system IMEs as well, which are typically provided by the OEM
or carrier of the device.

4.13.1. Enterprise admin can configure an IME whitelist
(see permitted_input_methods) of arbitrary length (excluding an empty list,
which blocks all IMEs including system IMEs), which may contain any arbitrary
IME packages.

The EMM's console may optionally suggest known or recommended IMEs for
whitelisting, but must allow IT admins to choose from the list of all apps
available for install, for applicable users.

4.13.2. EMM must prevent IT admins from configuring an empty whitelist, as this
will block all IMEs including system IMEs from being configured on the device.

4.13.3. EMM must ensure that, if an IME whitelist does not contain system IMEs,
the third-party IMEs are silently installed before the whitelist is applied
on the device.

4.14. Accessibility services management

| Android version | Work profile | Fully managed device | Dedicated device |
| --- | --- | --- | --- |
| 5.0+ | star_border | star_border | star_border |

IT admins can control what accessibility services
can be enabled on users' devices. While accessibility services are powerful
tools for users with disabilities or who are temporarily unable to fully
interact with their device, they may interact with corporate data in ways that
are non-compliant with corporate policy. This feature allows admins to disable
any non-system accessibility service.

4.14.1. IT admins can configure an accessibility service whitelist
(see permittedAccessibilityServices) of arbitrary length (including an empty
list, which blocks all non-system accessibility services), which may contain any
arbitrary accessibility service package.

The console may optionally suggest known or recommended accessibility services
for whitelisting, but must allow the enterprise admin to choose from the list of
all apps available for install, for applicable users.

4.15. Location sharing management

| Android version | Work profile | Fully managed device | Dedicated device |
| --- | --- | --- | --- |
| 5.0+ | star_border | remove_circle_outline | remove_circle_outline |

IT admins can prevent users from sharing location data with apps in the work
profile. Otherwise, the work profile location setting is user configurable in
Settings.

4.16. Advanced location sharing management

| Android version | Work profile | Fully managed device | Dedicated device |
| --- | --- | --- | --- |
| 5.0+ | remove_circle_outline | star_border | star_border |

IT admins can enforce a given location sharing setting on a managed device. This
feature can ensure, for example, that corporate apps always have access to high
accuracy location data, or that users don't consume extra battery by restricting
location settings to battery saving mode.

Sensors only, for instance GPS, but not including network-provided
location.

Battery saving, which limits the update frequency.

Off.

4.17. Factory reset protection management

| Android version | Work profile | Fully managed device | Dedicated device |
| --- | --- | --- | --- |
| 5.1+ | remove_circle_outline | star_border | star_border |

Enables IT admins to protect company-owned devices from theft by ensuring only
authorized users can factory reset devices. Admins can also disable
factory reset protection entirely, if it introduces operational complexities
when devices are returned to IT.

4.19. Screen capture management

| Android version | Work profile | Fully managed device | Dedicated device |
| --- | --- | --- | --- |
| 5.0+ | star_border | star_border | star_border |

IT admins can block users from taking screenshots when using managed apps. This
includes blocking screensharing apps and similar apps (such as Google Assistant)
that leverage the system screenshot capabilities.

4.27.5. IT admins can enable the system recommendation for apps to skip their
user tutorial and other introductory hints on first start-up (see
skip_first_use_hints).

5. Device usability

5.1. Managed provisioning customization

| Android version | Work profile | Fully managed device | Dedicated device |
| --- | --- | --- | --- |
| 7.0+ | star_border | star_border | star_border |

IT admins can modify the default managed provisioning flow UX to include
enterprise-specific features. Optionally, admins can display EMM-provided
branding during provisioning.

5.1.1. IT admins can customize the provisioning process by specifying the
following enterprise-specific details:
enterprise color (see primaryColor), enterprise logo (see logo),
enterprise terms of service and other disclaimers (see termsAndConditions).

5.1.2. IT admins can deploy a non-configurable, EMM-specific customization
that includes the following details: EMM color (see primaryColor), EMM logo
(see logo), EMM terms of service and other disclaimers (see termsAndConditions).

EMMs may set their non-configurable, EMM-specific customization as the
default for all deployments, but must allow admins to configure their own
customization.

5.2. Enterprise customization

| Android version | Work profile | Fully managed device | Dedicated device |
| --- | --- | --- | --- |
| 7.0+ | star_border | remove_circle_outline | remove_circle_outline |

The Android Management API doesn't support this feature.

5.3. Advanced enterprise customization

| Android version | Work profile | Fully managed device | Dedicated device |
| --- | --- | --- | --- |
| 7.0+ | remove_circle_outline | star_border | remove_circle_outline |

The Android Management API doesn't support this feature.

5.4. Lock screen messages

| Android version | Work profile | Fully managed device | Dedicated device |
| --- | --- | --- | --- |
| 7.0+ | remove_circle_outline | star_border | star_border |

IT admins can set a custom message that's always displayed on the device lock
screen, and does not require device unlock to be viewed.

5.5. Policy transparency management

5.6. Cross-profile contact management

| Android version | Work profile | Fully managed device | Dedicated device |
| --- | --- | --- | --- |
| 7.0+ | star_border | remove_circle_outline | remove_circle_outline |

IT admins can control what contact data can leave the work profile. Both
telephony and messaging (SMS) apps must run in the personal profile, and
require access to work profile contact data to offer functionality for work
contacts, but admins may choose to disable these features to protect work data.

5.9. Lock task mode management

IT admins can lock an app or set of apps to the screen, and ensure that users
can't exit the app.

5.9.1. The EMM's console allows IT admins to silently enable an arbitrary set of
apps to install and lock to a device. Lock task mode is enabled via
policy.

5.10. Persistent preferred activity management

| Android version | Work profile | Fully managed device | Dedicated device |
| --- | --- | --- | --- |
| 5.0+ | star_border | star_border | star_border |

Allows admins to set an app as the default intent handler for intents that match
a certain intent filter. For example, this would allow admins to choose which
browser app automatically opens all web links, or which launcher app is used
when the user hits the home button.